[Full-Disclosure] Mcafee Spamkiller 5 spam filter bypass

From: Gregh (chows_at_ozemail.com.au)
Date: 07/16/04

  • Next message: Daniel Hedblom: "Re: [Full-Disclosure] New Attack on Secure Browsing"
    To: "Disclosure Full" <full-disclosure@lists.netsys.com>
    Date: Fri, 16 Jul 2004 14:23:12 +1000
    
    

    This one was reported to McAfee a short time ago today. They don't see it as
    a bug, however.

    Enter a valid name into your FRIENDS list. Say "John" (john@this.site.com)
    is the entry. Now put an entry in ACCEPTING email from any email address
    where the Received line has a certain phrase in it. E.g., you may wish to put
    "Netsys" for example. Now, any email that comes in with the name "John", so
    long as it has "Netsys" in the Received line, will be accepted; not because of
    the presence of "Netsys", but it will be received and accepted by SpamKiller 5
    and marked as having come from john@this.site.com even when the John in
    question has a totally different From address.

    So what does this mean?

    If spammers can figure out a way to insert the letter "a" into your accepted
    rules and keep on sending FROM names (not From ADDRESSES) using the same
    name as one already in your friends list, they can bypass SpamKiller's other
    entries entirely, thus making it totally useless. Now, as most Western
    hemisphere people know a person called "John" or "Joan", and as most people
    don't supply surnames with their first name in email, all it is going to
    take for SpamKiller to be bypassed is for spammers to figure out how to
    insert a rule into SpamKiller 5 accepting any email that has a Received line
    with the letter "a" in it and make sure that they have a spoofed Received
    line with that letter in it.

    So please tell me - if anyone knows - why the HELL pay for Spamkiller when
    it is so easy to bypass? Damned if I know why I did, now!

    Greg.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
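The weakness described in the post is a whitelist that keys on the From display name rather than the From address. The following is an added example, not part of the original post or of McAfee's product: it models that display-name match beside an address-keyed match, plus a simple mismatch check a filter or log review could use to flag a friend's name paired with an unknown address. The friends list, the two messages and their Received lines are constructed for the example.

```python
"""Added example: whitelist matching on display name vs. on address.

Models the behaviour the post describes (a FRIENDS entry matched on the
display name "John") next to the address-keyed check that avoids it.
"""
import email
from email.utils import parseaddr

# Constructed friends list: address -> display name (the post's "John").
FRIENDS = {"john@this.site.com": "John"}

# Constructed sample messages; neither is taken from the original post.
GENUINE = """From: John <john@this.site.com>
Received: from mail.netsys.example by mx.example
Subject: hello

hi
"""

SPOOFED = """From: John <bulk@spam.example>
Received: from mail.netsys.example by mx.example
Subject: offer

buy
"""


def sender(raw):
    """Return (display_name, address) from the From header, address lowercased."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(str(msg["From"] or ""))
    return name, addr.lower()


def received_has_phrase(raw, phrase):
    """True if any Received line contains the phrase (case-insensitive)."""
    msg = email.message_from_string(raw)
    return any(phrase.lower() in line.lower() for line in msg.get_all("Received", []))


def attributed_friend_by_name(raw, friends=FRIENDS):
    """Weak check modelled on the post: a From whose display name equals a
    friend's name is treated as that friend, and the message is attributed to
    the friend's address regardless of the real From address."""
    name, _ = sender(raw)
    for addr, friend_name in friends.items():
        if friend_name == name:
            return addr
    return None


def accept_by_address(raw, friends=FRIENDS):
    """Hardened check: the whitelist is keyed on the address; the display
    name carries no weight."""
    _, addr = sender(raw)
    return addr in friends


def name_address_mismatch(raw, friends=FRIENDS):
    """Detection: a friend's display name paired with an address that is not
    on the friends list is worth flagging rather than whitelisting."""
    name, addr = sender(raw)
    return name in friends.values() and addr not in friends


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label,
              "received-rule:", received_has_phrase(raw, "Netsys"),
              "name-match:", attributed_friend_by_name(raw),
              "address-match:", accept_by_address(raw),
              "mismatch:", name_address_mismatch(raw))
```

Both messages satisfy the constructed Received rule and both carry the display name "John", so the name-keyed check attributes the spoofed message to john@this.site.com exactly as the post describes; the address-keyed check rejects it, and the mismatch check flags it.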

